If you've been hearing or reading about the latest DNS (Domain Name System) flaw, you may be confused about how to defend yourself. Think of this as a cheatsheet, it's what you need to know in the fewest words possible.

The flaw is mostly with software on a server computer run by your Internet Service Provider (ISP).* Some ISPs have patched the vulnerable DNS software on their computers, some have not. A recent list is available here. That said, Windows users also need to be sure they are up to date on patches as Microsoft released a recent DNS patch for Windows XP, 2000 and Server 2003. Windows Vista does not need to be patched.

DNS server computers translate the name of Internet-resident computers into numbers. Every computer that is reachable over the Internet is assigned a unique number (it's a bit more complicated, but this is essentially true). What is, to you, www.cnet.com, is to the computers on the Internet 216.239.113.101.

This number is called an IP address and yes, those are periods rather than commas. You can see this for yourself, by entering an IP address directly into the address bar of your web browser. For example, CBS owns CNET. You can see what's on CBS tonight at both

The danger with the current DNS flaw is similar to someone modifying a phone book. Suppose you wanted call the Post Office to tell them to stop your mail for a few weeks while you won't be home. You look up the Post Office phone number in a hacked phone book and instead of calling the actual Post Office you end up calling bad guys and telling them when they can safely come and rob you.

Everything you do online depends on translating the name of a website (or email server or any other computer) into an IP address. The recently discovered DNS flaw, lets the bad guys control this translation. Thus, they can steer people to fake websites. Input sensitive information or passwords at a fake website and you can kiss your identity goodbye.

What to do?

My preferred defense is to use OpenDNS. I wrote about this back in December:

There is also a very simple online test of whether the DNS servers you are currently using are vulnerable to this bug at
www.doxpara.com. Click on the "Check My DNS" button.

Another test is available at www.dns-oarc.net/oarc/services/dnsentropy, click on "Test My DNS". If all is well, it will report "GREAT" for both the source port randomness and the transaction ID randomness.

About the author

Michael Horowitz wrote his first computer program in 1973 and has been a computer nerd ever since. He spent more than 20 years working in an IBM mainframe (MVS) environment. He has worked in the research and development group of a large Wall Street financial company, and has been a technical writer for a mainframe software company.

He teaches a large range of self-developed classes, the underlying theme being Defensive Computing. Michael is an independent computer consultant, working with small businesses and the self-employed. He can be heard weekly on The Personal Computer Show on WBAI.